Introduced in branch: 8.0.x
Introduced in version: 8.0.0-beta14
Description: 

In Drupal 7 and 8, drupalSettings has traditionally been loaded via inline JavaScript.

To enable core to support a Content Security Policy (CSP), all inline JavaScript must be removed, as it is incompatible with a CSP that offers good cross-browser protection against cross-site scripting (XSS) vulnerabilities.

Therefore, JavaScript settings are now put into the page as pure JSON data, which is CSP-compatible.

Before

    <script>
    <!--//--><![CDATA[//><!--
    var drupalSettings = {"path":{"baseUrl":"\/","scriptPath":"\/index.php","pathPrefix":""}, ...};
    //--><!]]>
    </script>

After

    <script type="application/json" data-drupal-selector="drupal-settings-json">
    {"path":{"baseUrl":"\/","scriptPath":"\/index.php","pathPrefix":""}, ...}
    </script>

The settings are then put into the usual window.drupalSettings JS variable by drupalSettingsLoader.js, which is aggregated with the rest of the JavaScript.

So for most JavaScript this change is 100% transparent.

In case someone needs access to the settings earlier, they can use the following code to read drupalSettings themselves:

    var settingsElement = document.querySelector('script[type="application/json"][data-drupal-selector="drupal-settings-json"]');
    var drupalSettings = JSON.parse(settingsElement.textContent);

This should only be needed in very rare edge cases, however.
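The following added example (not Drupal core code) shows why the "Before" markup conflicts with a CSP while the "After" markup does not, by classifying each script element of a page under a given policy. The sample page, the aggregate file path and the function names are constructed for illustration, and the CSP model is simplified: it assumes scripts carry no nonce and match no hash.

```javascript
// Added example, not Drupal core code. Simplified CSP model: script-src with
// default-src fallback; scripts carry no nonce and match no hash (assumption).
const EXECUTABLE_TYPES = new Set(['', 'text/javascript', 'application/javascript', 'module']);

// Constructed sample page: the "Before" and "After" markup plus one
// aggregated file (hypothetical path).
const SAMPLE_PAGE = `
<script>var drupalSettings = {"path":{"baseUrl":"\\/"}};</script>
<script type="application/json" data-drupal-selector="drupal-settings-json">
{"path":{"baseUrl":"\\/"}}
</script>
<script src="/sites/default/files/js/aggregate.js"></script>`;

// Source list that governs scripts, or null when the policy does not restrict them.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name)) directives.set(name, values);
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// True when an inline script without a nonce or matching hash may execute.
function inlineAllowed(sources) {
  if (sources === null) return true;
  // A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
  const strict = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return sources.includes("'unsafe-inline'") && !strict;
}

// Classify every <script> element in the markup under the given policy.
function classifyScripts(html, csp) {
  const allowInline = inlineAllowed(scriptSources(csp));
  const results = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>[\s\S]*?<\/script>/gi)) {
    const m = /(?:^|\s)type\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    const type = m ? m[1].toLowerCase() : '';
    let verdict;
    if (!EXECUTABLE_TYPES.has(type)) verdict = 'data block: never executed';
    else if (/(?:^|\s)src\s*=/i.test(attrs)) verdict = 'external: checked against source list';
    else verdict = allowInline ? 'inline: allowed' : 'inline: blocked';
    results.push({ type, verdict });
  }
  return results;
}

console.log(classifyScripts(SAMPLE_PAGE, "script-src 'self'"));
```

Under `script-src 'self'` the inline `var drupalSettings = ...` script is blocked, while the `application/json` block is only data and stays readable through `textContent`.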

Impacts: 
Module developers
Themers

Comments

dpickerel

Hi,
I'm using Chrome. If I'm logged in, this data is there and available; if I'm anonymous, it's not in the page source.
Any ideas on how to force the output of this data?
Thanks.

ambient.impact

You need to declare core/drupalSettings as a dependency so that it gets added to the page when your assets are. Drupal no longer loads JS on pages that don't require it, which is why you're seeing the issue with anonymous users. See Adding stylesheets (CSS) and JavaScript (JS) to a Drupal 8 module.